Add openvpn setup

templates/nftables.j2

@@ -0,0 +1,35 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }}
+
+table ip filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    # allow established/related connections
+    ct state { established, related } accept
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+
+    iifname "br0" tcp dport {{ ssh_port }} accept comment "SSH"
+    iifname "br0" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
+
+    iifname "br0" tcp dport {{ vpn_mobile_port }} accept comment "OpenVPN TCP"
+    iifname "br0" udp dport {{ vpn_mobile_port }} accept comment "OpenVPN UDP"
+    iifname "br0" tcp dport {{ vpn_lan_port }} accept comment "OpenVPN LAN TCP"
+    iifname "br0" udp dport {{ vpn_lan_port }} accept comment "OpenVPN LAN UDP"
+
+    iifname { "tun0", "tun1" } tcp dport { {{ http_port }}, {{ https_port }} } ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "HTTP/HTTPS"
+    iifname { "tun0", "tun1" } tcp dport {{ transmission_port }} ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "Transmission"
+    iifname { "tun0", "tun1" } tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "Syncthing"
+    iifname { "tun0", "tun1" } tcp dport {{ mpd_port }} ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "MPD"
+    iifname { "tun0", "tun1" } tcp dport {{ nfs_port }} ip saddr { 10.8.0.0/24, 10.8.1.0/24 } ip daddr 10.8.0.1/32 accept comment "NFS"
+  }
+}